Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills

Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
This commit is contained in:
mukul975
2026-03-10 21:02:12 +01:00
parent c74d52fa30
commit 27c6414ca5
1390 changed files with 106806 additions and 0 deletions
+21
View File
@@ -0,0 +1,21 @@
MIT License
Copyright (c) 2025 Anthropic Agent Skills Contributors
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
@@ -0,0 +1,62 @@
# API Reference: Monitoring Dark Web Sources
## Have I Been Pwned API v3
| Endpoint | Method | Description |
|----------|--------|-------------|
| `/api/v3/breaches` | GET | List all known data breaches |
| `/api/v3/breach/{name}` | GET | Get details of a specific breach |
| `/api/v3/pasteaccount/{email}` | GET | Search paste site archives for an email |
| `/api/v3/breachedaccount/{email}` | GET | Check if email appears in breaches |
## Dehashed API
| Endpoint | Method | Description |
|----------|--------|-------------|
| `/search?query=domain:example.com` | GET | Search exposed credentials by domain |
| `/search?query=email:user@example.com` | GET | Search by specific email address |
## Ransomware.live API
| Endpoint | Method | Description |
|----------|--------|-------------|
| `/recentvictims` | GET | List recent ransomware leak site victims |
| `/groups` | GET | List tracked ransomware groups |
| `/group/{name}` | GET | Get details for a specific ransomware group |
## Recorded Future Dark Web Module
| Endpoint | Method | Description |
|----------|--------|-------------|
| `/v2/darkweb/search` | GET | Search dark web mentions by keyword |
| `/v2/credentials/search` | GET | Search exposed credentials |
## Key Libraries
- **requests**: HTTP client for HIBP, Dehashed, and ransomware.live APIs
- **spiderfoot** (CLI): OSINT automation including dark web module `sfp_darkweb`
- **theHarvester**: Domain reconnaissance including breach data sources
## Configuration
| Variable | Description |
|----------|-------------|
| `HIBP_API_KEY` | Have I Been Pwned API key (paid tier for domain search) |
| `DEHASHED_API_KEY` | Dehashed API key for credential exposure search |
| `DEHASHED_EMAIL` | Dehashed account email for API authentication |
| `RF_API_TOKEN` | Recorded Future API token for dark web module |
## Rate Limits
| API | Rate Limit |
|-----|------------|
| HIBP | 10 requests/minute (paid key) |
| Dehashed | 5 requests/second |
| Ransomware.live | No published limit (be respectful) |
## References
- [Have I Been Pwned API](https://haveibeenpwned.com/API/v3)
- [Dehashed API Docs](https://www.dehashed.com/docs)
- [Ransomware.live](https://www.ransomware.live/)
- [SpiderFoot OSINT](https://github.com/smicallef/spiderfoot)
@@ -0,0 +1,196 @@
#!/usr/bin/env python3
"""
Dark Web Source Monitoring Agent
Monitors dark web forums, paste sites, and ransomware leak sites for
organizational asset mentions using commercial APIs and OSINT tools.
"""
import json
import os
import re
import sys
from datetime import datetime, timezone
import requests
HAVE_I_BEEN_PWNED_API = "https://haveibeenpwned.com/api/v3"
DEHASHED_API = "https://api.dehashed.com/search"
def check_breach_exposure(domain: str, hibp_api_key: str) -> list[dict]:
"""Check Have I Been Pwned for domain breach exposure."""
if not hibp_api_key:
return [{"error": "HIBP_API_KEY not set"}]
headers = {
"hibp-api-key": hibp_api_key,
"user-agent": "DarkWebMonitor-Agent",
}
resp = requests.get(
f"{HAVE_I_BEEN_PWNED_API}/breaches",
headers=headers, timeout=30,
)
if resp.status_code != 200:
return [{"error": f"HIBP returned {resp.status_code}"}]
breaches = resp.json()
relevant = []
for breach in breaches:
if domain.lower() in breach.get("Domain", "").lower():
relevant.append({
"name": breach["Name"],
"domain": breach["Domain"],
"breach_date": breach.get("BreachDate", ""),
"pwn_count": breach.get("PwnCount", 0),
"data_classes": breach.get("DataClasses", []),
"is_verified": breach.get("IsVerified", False),
})
return relevant
def search_paste_sites(org_keywords: list[str], api_key: str) -> list[dict]:
"""Search paste site archives for organization mentions."""
results = []
for keyword in org_keywords:
resp = requests.get(
f"{HAVE_I_BEEN_PWNED_API}/pasteaccount/{keyword}",
headers={"hibp-api-key": api_key, "user-agent": "DarkWebMonitor-Agent"},
timeout=30,
)
if resp.status_code == 200:
pastes = resp.json()
for paste in pastes:
results.append({
"keyword": keyword,
"source": paste.get("Source", ""),
"id": paste.get("Id", ""),
"title": paste.get("Title", ""),
"date": paste.get("Date", ""),
"email_count": paste.get("EmailCount", 0),
})
return results
def check_credential_exposure(domain: str, dehashed_key: str, dehashed_email: str) -> dict:
"""Search Dehashed for exposed credentials matching domain."""
if not dehashed_key:
return {"error": "DEHASHED_API_KEY not set", "results": []}
resp = requests.get(
DEHASHED_API,
params={"query": f"domain:{domain}", "size": 100},
auth=(dehashed_email, dehashed_key),
headers={"Accept": "application/json"},
timeout=30,
)
if resp.status_code != 200:
return {"error": f"Dehashed returned {resp.status_code}", "results": []}
data = resp.json()
entries = data.get("entries", [])
return {
"total_exposed": data.get("total", 0),
"results_returned": len(entries),
"sources": list(set(e.get("database_name", "") for e in entries)),
"sample_entries": [
{"email": e.get("email", ""), "source": e.get("database_name", ""),
"has_password": bool(e.get("password") or e.get("hashed_password"))}
for e in entries[:20]
],
}
def monitor_ransomware_leak_sites(org_name: str) -> dict:
"""Check ransomware leak site intelligence feeds for organization mentions.
Uses Ransomware.live API (public aggregator)."""
results = {"mentions": [], "checked_groups": []}
resp = requests.get(
"https://api.ransomware.live/recentvictims",
timeout=30,
)
if resp.status_code == 200:
victims = resp.json()
for victim in victims:
victim_name = victim.get("victim", "").lower()
if org_name.lower() in victim_name:
results["mentions"].append({
"victim": victim.get("victim", ""),
"group": victim.get("group_name", ""),
"discovered": victim.get("discovered", ""),
"url": victim.get("post_url", ""),
})
resp2 = requests.get("https://api.ransomware.live/groups", timeout=30)
if resp2.status_code == 200:
groups = resp2.json()
results["checked_groups"] = [g.get("name", "") for g in groups[:30]]
return results
def generate_monitoring_report(
domain: str, breaches: list, pastes: list, creds: dict, leak_results: dict
) -> str:
"""Generate dark web monitoring report."""
lines = [
"DARK WEB MONITORING REPORT",
"=" * 50,
f"Monitored Domain: {domain}",
f"Report Date: {datetime.now(timezone.utc).strftime('%Y-%m-%d %H:%M UTC')}",
"",
"BREACH EXPOSURE:",
f" Known Breaches Involving Domain: {len(breaches)}",
]
for b in breaches[:5]:
lines.append(f" - {b['name']} ({b['breach_date']}) - {b['pwn_count']:,} accounts")
lines.extend([
"",
"PASTE SITE EXPOSURE:",
f" Paste Mentions Found: {len(pastes)}",
])
lines.extend([
"",
"CREDENTIAL EXPOSURE:",
f" Total Exposed Records: {creds.get('total_exposed', 0):,}",
f" Source Databases: {len(creds.get('sources', []))}",
])
lines.extend([
"",
"RANSOMWARE LEAK SITES:",
f" Groups Monitored: {len(leak_results.get('checked_groups', []))}",
f" Mentions Found: {len(leak_results.get('mentions', []))}",
])
for m in leak_results.get("mentions", []):
lines.append(f" - {m['victim']} by {m['group']} ({m['discovered']})")
return "\n".join(lines)
if __name__ == "__main__":
domain = sys.argv[1] if len(sys.argv) > 1 else "example.com"
hibp_key = os.getenv("HIBP_API_KEY", "")
dehashed_key = os.getenv("DEHASHED_API_KEY", "")
dehashed_email = os.getenv("DEHASHED_EMAIL", "")
print(f"[*] Dark web monitoring for: {domain}")
breaches = check_breach_exposure(domain, hibp_key)
pastes = search_paste_sites([f"@{domain}"], hibp_key)
creds = check_credential_exposure(domain, dehashed_key, dehashed_email)
leak_results = monitor_ransomware_leak_sites(domain.split(".")[0])
report = generate_monitoring_report(domain, breaches, pastes, creds, leak_results)
print(report)
output = f"darkweb_monitor_{domain.replace('.', '_')}_{datetime.now(timezone.utc).strftime('%Y%m%d')}.json"
with open(output, "w") as f:
json.dump({"breaches": breaches, "pastes": pastes, "credentials": creds, "leak_sites": leak_results}, f, indent=2)
print(f"\n[*] Results saved to {output}")